If you discover a security vulnerability in EMWaver, please report it responsibly.
Do not open a public GitHub issue.
Instead, email security@continualmi.com with:
- A clear description of the vulnerability
- Steps to reproduce
- Affected components (app, firmware, transport, website)
- Any potential impact
We aim to acknowledge reports within 48 hours and provide an initial assessment within 5 business days.
The following components are in scope:
- Native apps (iOS, Android, macOS, Windows, Linux)
- Firmware (STM32, ESP32)
- Transport protocols (USB MIDI, BLE, Wi-Fi/WebSocket)
- The public website at emwaver.ai
- The shared Apple package (`apple/`)
- Rust crates under `crates/` and `linux/crates/`
The following are out of scope:
- The removed Gateway/CLI architecture (see `docs/DROP_GATEWAY_AND_LINUX.md`)
- Third-party services the apps may connect to (e.g., the MGPT Agent backend, which has its own security reporting path)
- Social engineering attacks
- Denial of service against the public website
EMWaver is in an early open-source release. We support the latest preview release assets under the emwaver-preview GitHub Release tag and the latest main branch. Mobile app store distributions (App Store, Google Play) are updated through their respective store review cycles.
EMWaver is a local-first platform. Local hardware control does not require accounts, cloud activation, or hosted relay. Security reports about the local-first boundary (e.g., ways the app could be coerced into requiring network access for core hardware control) are particularly interesting to us.
The Agent features use a user-provided API key over HTTPS. The key is stored locally (Keychain on Apple platforms, encrypted SharedPreferences on Android, DPAPI-protected on Windows, Secret Service on Linux where available).